Post navigation

In 2013, California healthcare provider Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of patients’ files potentially open and exposed on the internet.

Those files included patients’ names, addresses, dates of birth, and in a few cases, their diagnosis, lab results and procedures performed.

Cottage was sued, along with inSync, a Laguna Hills-based company responsible for putting the records in a secure location online.

Imagine the expenses rolling in: Class action lawsuit, ka-ching!

Cyber forensic investigators to figure out what happened, security consultants to analyse and scrub the malware away, affected patients notified and (typically, at any rate) offered credit monitoring services, business lost due to newly cautious customers – all of it costs big bucks, ka-ching, ka-ching!

Good thing the healthcare provider had insurance to cover such a data breach, eh?

Well, it would have been a bit of a relief, if the insurer hadn’t scratched its head and shrugged its shoulders, pointing to a clause in the policy that means it doesn’t have to pay out when the insured party has been bone-headed about its security.

Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy.

Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”

The patient data had been exposed for about about two months, starting in October 2013.

It’s not like the company was jumped on by cyber attackers, per se. Rather, the data was accessible via the public internet and to Google search.

That makes it tough to know who might have accessed the data.

In fact, anyone could have viewed the records during those two months, the complaint states, adding that the “extent of the breach is enormous.”

While Cottage is looking for about $4 million (about £2.6 million) from its insurer to cover both damages related to the incident as well as potential fines from a Department of Justice investigation of possible violations of HIPAA – the federal Health Insurance Portability and Accountability Act – Columbia is looking to recoup anything it has to pay out.

Some of the alleged security failings that Columbia is hoping will get it out of paying damages:

Cottage and its third-party vendor, inSync, allegedly failed “to continuously implement the procedures and risk controls identified in its application” for the coverage, including…

Configuration and change management for Cottage’s IT systems as well as regular patch management.

All of which point to cyber insurance being a wise choice – potentially, if you can find one that doesn’t wiggle its way out of paying for the vast majority of data breaches a business may well endure.

In fact, AON PLC, the world’s largest reinsurance broker, claimed in October 2014 that the cyber insurance market was at the time growing at 38% annually.

But oh, those gotchas – they can kick you right in the shins right when you need that policy the most.

As Dark Reading notes in its interview with Linde and Jake Kouns of Risk Based Security, insurers can weasel out of covering data breaches for a host of reasons, including:

Not paying retroactively.
Given that breaches can be discovered months or even years after they begin or end, organisations should carefully consider when coverage starts.

Terrorism/act of foreign enemy exclusions.
Many cyber attacks originate from outside a country’s borders, and many of them are believed to be state sponsored. Depending on the policy’s wording, your organisation could be left high and dry. Experts advise negotiating the removal of such exclusions to ensure organisations are covered by an attack coming from outside the country.

Lack of coverage for negligence.
Insurers are starting to cover only data theft, not negligence. If an employee loses a laptop with sensitive data, some policies won’t cover it.

Those are just a few of the things to watch out for when purchasing cyber insurance.

It’s a new, growing insurance product, and that means it’s still evolving.

It’s worth getting, but it should go without saying that getting insurance doesn’t mean the job of securing data is done.

That’s just one tick mark on a list of securing an organisation’s digital assets.

If Columbia’s allegations of Cottage and inSync’s security failings are true, who can blame the insurer for not paying out?

InSync is just an advanced Google Drive client…
They were literally sending patient data to a cloud service which they do not control (and through a 3rd party that doesn’t advertise HIPAA compliance, no less!).
…
They were asking for it.